Generating Advanced hunting queries with PowerShell

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below Read More …

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Hello everyone, during the past months I took a closer look at MITRE ATT&CK to advance my hunting skills using Microsoft Defender Advanced Threat Protection. For those not familiar with MITRE ATT&CK, in short, it is a knowledge base knowledge base of adversary tactics and techniques based on real-world observations. To familiarize myself with MITRE ATT&CK, I first started reading through all the tactics and techniques, to be honest while reading, I often couldn’t resists Read More …

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out who’s logging on with local administrators’ rights. But first when would you want to run this? Well here are some scenarios I can think of: You want to find users that have local administrator rights on their devices. You introduced LAPS and instructed your IT support to no longer use their own credentials but use Read More …